Not a "very small population" in the case of this "targeted" group (although iPhones were compromised rather than Macs):Keyword here is "targetted" -- almost always a very small population of users, usually running legacy systems and software who are unlikely to be frequenting this forum or running Malwarebytes (or any other modern anti-malware software) on their Macs.
(The attacks also infected non-targeted visitors to the malicious "watering hole" websites and infected Android and Windows systems, as well, though perhaps not Macs, which are probably scant in the targeted population.)Google said:A very deep dive into iOS Exploit chains found in the wild
... Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.
I hope to guide the general discussion around exploitation away from a focus on the the million dollar dissident and towards discussion of the marginal cost for monitoring the n+1'th potential future dissident. I shan't get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time.